Privacy Roundup #0181 • August 2021
Apple's plan to scan iPhones for child abuse imagery dominated the month, while record breaches at T-Mobile and a flood of leaks, ransomware thefts and new surveillance laws kept regulators and researchers busy.
1. Apple's plan to scan iPhones opens a backdoor to your private life
Apple announced that iPhones would compare photos against a database of hashes of known child sexual abuse material before uploading them to iCloud Photos. The EFF warned that even a narrowly scoped backdoor is still a backdoor and that the system invites pressure for wider surveillance.
2. Facebook cuts off NYU researchers studying political ads
Facebook disabled the accounts of NYU academics behind the Ad Observer project, which tracked how political adverts were targeted. The company cited privacy, but lawmakers and researchers accused it of shielding itself from accountability.
3. Crypto surveillance provision buried in the infrastructure bill
The EFF flagged a provision in the Senate infrastructure bill that would expand the definition of broker to force many in the cryptocurrency world to collect user names and addresses. The group warned that the vague language amounted to a new financial surveillance mandate.
4. Apple's surveillance system would invite censorship worldwide
The EFF argued that once Apple built scanning infrastructure into its phones, governments would press to expand it beyond child abuse imagery. The group noted that countries already demanding content pre-screening could redirect the tool against political speech.
5. Hacker drains $600 million from Poly Network
An attacker exploited a flaw in the Poly Network cross-chain platform and moved more than 600 million dollars in cryptocurrency to addresses under their control. Because every transaction is recorded on a public ledger, the funds were traced and almost all of them were returned.
6. Accenture confirms breach after LockBit ransomware attack
Consultancy giant Accenture acknowledged that the LockBit gang stole data during an attack on its systems. The criminals claimed to have taken six terabytes of files and demanded a 50 million dollar ransom.
7. T-Mobile breach exposed personal data of more than 40 million people
T-Mobile confirmed that intruders stole the names, dates of birth, Social Security numbers and driving licence details of tens of millions of current, former and prospective customers. The admission came days after the records went up for sale on a cybercrime forum.
8. Secret terrorist watchlist with nearly two million records exposed online
A researcher found an unsecured server holding around 1.9 million records from the FBI's terrorist screening database, including names, passport details and no-fly status. The list sat exposed for three weeks before it was taken offline.
9. Researchers fool Apple's NeuralHash before it ships
After developers extracted Apple's NeuralHash model from iOS, security researchers produced two visibly different images that generated the same hash. NeuralHash is a perceptual hash, built so that resized or recompressed copies of a picture hash alike, so unlike a cryptographic hash it can be pushed into collisions by construction. The collisions raised doubts about whether the scanning system could be trusted to match only genuine child abuse imagery; Apple replied that a match would only be acted on above a threshold and after a second, server-side hash check.
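To make the perceptual-hash point concrete, here is an added example (not Apple's code and not the researchers' collision); it uses a toy average hash (aHash) as a stand-in for NeuralHash, which is an assumption, since the real system is a neural network feature extractor followed by locality-sensitive hashing. The 8x8 grayscale images are constructed inline. It shows the two properties that matter: a noisy copy of an image keeps its hash (by design), and an unrelated textured image can be forged to the same hash, while SHA-256 differs for both.

```python
import hashlib
import random

SIZE = 8  # toy images are SIZE x SIZE grayscale pixels, 0..255 (constructed inputs)
N = SIZE * SIZE


def average_hash(pixels):
    """Toy perceptual hash (aHash): one bit per pixel, set when the pixel is
    brighter than the image mean. Stand-in for NeuralHash, not the real algorithm."""
    assert len(pixels) == N
    mean = sum(pixels) / N
    bits = 0
    for p in pixels:  # first pixel becomes the most significant bit
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing hash bits; perceptual matchers use a distance threshold."""
    return bin(a ^ b).count("1")


def sha256_hex(pixels):
    """Cryptographic hash of the raw pixel bytes, for contrast."""
    return hashlib.sha256(bytes(pixels)).hexdigest()


def make_gradient():
    """Constructed 'original': left half dark (30), right half bright (220)."""
    return [30 if x < SIZE // 2 else 220 for _y in range(SIZE) for x in range(SIZE)]


def jpeg_like_noise(pixels, delta=3):
    """Deterministic small perturbation standing in for recompression noise."""
    return [max(0, min(255, p + ((i * 7) % (2 * delta + 1) - delta)))
            for i, p in enumerate(pixels)]


def forge_collision(target_hash, seed=12345):
    """Build an image with the same aHash as target_hash but unrelated texture.
    Pixels whose target bit is 1 are drawn from a bright band, the rest from a
    dark band. If the resulting mean strays so that some bit disagrees, the
    offending pixels are pushed to their band's extreme; each pass fixes at
    least one pixel, so at most N passes are needed (an all-ones target is
    unreachable for aHash, because some pixel is always <= the mean)."""
    rng = random.Random(seed)
    bits = [(target_hash >> (N - 1 - i)) & 1 for i in range(N)]
    img = [rng.randint(165, 255) if b else rng.randint(0, 90) for b in bits]
    for _ in range(N + 1):
        if average_hash(img) == target_hash:
            return img
        mean = sum(img) / N
        img = [255 if (b and p <= mean) else 0 if (not b and p > mean) else p
               for p, b in zip(img, bits)]
    raise ValueError("target hash not reachable with this construction")


def demo():
    """Returns the measurements a reviewer of the scanning design would ask for."""
    original = make_gradient()
    noisy = jpeg_like_noise(original)
    forged = forge_collision(average_hash(original))
    return {
        "noisy_hamming": hamming(average_hash(original), average_hash(noisy)),
        "forged_hamming": hamming(average_hash(original), average_hash(forged)),
        "forged_pixels_changed": sum(1 for a, b in zip(original, forged) if a != b),
        "sha256_noisy_matches": sha256_hex(original) == sha256_hex(noisy),
        "sha256_forged_matches": sha256_hex(original) == sha256_hex(forged),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lesson carries over to any perceptual matcher: the same tolerance that lets a matcher recognise a recompressed copy is what lets an adversary craft an innocuous image that lands on a blocklisted hash, which is why a match threshold and an independent second check are part of the design argument rather than optional extras.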
10. Apple's Mail Privacy Protection takes aim at email tracking pixels
Apple detailed how its forthcoming Mail Privacy Protection would hide users' IP addresses and locations from the invisible pixels marketers embed in emails. The change threatened to break the open and location tracking that the email marketing industry relies upon.
11. Japanese exchange Liquid loses $94 million in wallet hack
Attackers compromised the warm wallets of the Tokyo cryptocurrency exchange Liquid and stole assets worth at least 94 million dollars. The firm moved its remaining funds into offline cold storage as it worked to expel the intruders.
12. Illinois bought invasive phone location data from banned broker SafeGraph
The EFF revealed that the Illinois transport department paid 49,500 dollars for precise location data covering more than 40 per cent of the state's residents. The seller was SafeGraph, a broker that Google had already banned from its app store.
13. China passes its first comprehensive data protection law
China's legislature adopted the Personal Information Protection Law, a sweeping statute modelled in part on the European GDPR. It requires consent for processing sensitive data such as biometrics and location, and threatens fines of up to five per cent of annual revenue.
14. Misconfigured Microsoft Power Apps exposed 38 million records
Researchers at UpGuard found that more than a thousand Power Apps portals were configured to expose their data to anyone who asked: their OData feeds answered anonymous requests because table permissions had not been enabled. The leak revealed 38 million records, including Social Security numbers, vaccination details and contact tracing data, across private firms and government agencies.
15. Data brokers sell access to internet backbone traffic
Bruce Schneier highlighted how brokers commercially distribute netflow data gathered from the internet's backbone infrastructure. He warned that this trade can be used to trace activity that people believe a VPN keeps private.
16. ChaosDB flaw let attackers reach any Azure Cosmos DB account
Cloud security firm Wiz disclosed a vulnerability in Azure Cosmos DB that let one customer, starting from the built-in Jupyter Notebook feature, obtain the primary keys of other customers' databases. Because those keys grant full read and write access and stay valid until rotated, Microsoft disabled the notebook feature and told affected customers to regenerate their keys, though it could not rule out earlier abuse.
17. Court lets biometric privacy lawsuit against Clearview AI proceed
An Illinois court rejected Clearview AI's First Amendment defence and upheld the state's opt-in consent rule for faceprints. The judge said the firm had blindly created billions of faceprints without regard for whether the practice was legal.
18. Bangkok Airways passenger data leaked after LockBit attack
Bangkok Airways refused to pay the LockBit gang, which then published more than 100 gigabytes of stolen files. The dump included passenger names, nationalities, passport details and travel histories.
19. EFF presses Council of Europe to fix a police surveillance treaty
The EFF and allied groups submitted detailed recommendations on a draft cross-border police surveillance treaty under review by the Council of Europe. They urged judicial oversight and limits on direct law enforcement access to subscriber data.
20. Global coalition asks Tim Cook to halt phone scanning
The EFF joined more than ninety organisations in an open letter urging Apple's chief executive to abandon the on-device scanning plans. The signatories said the features would weaken privacy and security for users worldwide.